Introducing Exploit Observer — More than Shodan Exploits, Less than Vulners

🇮🇳 Ayush Singh · Published in A.R.P. Syndicate · 4 min read · Jan 12, 2024


In this article, I’m going to tell you how Exploit Observer has revolutionized the ways of automated exploit discovery & analysis at A.R.P. Syndicate.

The art of being a sniper is all about being precise & stealthy at all times. The more precisely & stealthily you hit, the better you are; the faster you land multiple hits, the best you can be. That's the kind of intelligent offensive fuzzing automation I have wanted to build since I was 16.

MOTIVATION

Time is a relative thing. It depends not just on the frame of reference but also on who is navigating it. As a lazy navigator in the mysterious realms of offensive cybersecurity, the exploit discovery aspect used to disappoint me the most. I felt it just needed to be easier & quicker, so I decided to work on evolving it.

The Early Days of ME haha

There are traditional, sub-standard platforms in this space like Shodan Exploits & popular cutting-edge platforms like Vulners, but none of them was either capable of or interested in being what I needed them to be. That's why Exploit Observer came into existence.

Exploit & Vulnerability Intelligence

CAPABILITIES

Exploit Observer's API not only queries a frequently updated & massive database of vendor advisories, GitHub/GitLab repos, Medium articles & YouTube videos but also automatically detects and tags each entry by file format/programming language, which is quite handy IMO. A sample response for CVE-2021-3450:

{
"description": "Exploit Observer has 37 entries in 8 file formats related to CVE-2021-3450. The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
"entries": {
"c": [
"https://github.com/jntass/tassl-1.1.1k",
"https://github.com/scriptzteam/glftpd-v2.11ab-stable"
],
"dockerfile": [
"https://github.com/fredrkl/trivy-demo"
],
"go": [
"https://github.com/isgo-golgo13/gokit-gorillakit-enginesvc",
"https://github.com/vinamra28/tekton-image-scan-trivy"
],
"html": [
"https://medium.com/@a-r-p-syndicate/23eaea466e4a"
],
"markdown": [
"https://github.com/chnzzh/openssl-cve-lib",
"https://github.com/dntyo/f5_vulnerability",
"https://github.com/thecyberbaby/trivy-by-aquasecurity",
"https://github.com/tianocore-docs/thirdpartysecurityadvisories"
],
"python": [
"https://github.com/rnbochsr/yr_of_the_jellyfish"
],
"shell": [
"https://github.com/bollwarm/sectoolset",
"https://github.com/teresaweber685/book_list"
],
"unknown": [
"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
"https://kc.mcafee.com/corporate/index?page=content&id=SB10356",
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP",
"https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html",
"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
"https://security.gentoo.org/glsa/202103-03",
"https://security.netapp.com/advisory/ntap-20210326-0006",
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd",
"https://www.openssl.org/news/secadv/20210325.txt",
"https://www.openwall.com/lists/oss-security/2021/03/27/1",
"https://www.openwall.com/lists/oss-security/2021/03/27/2",
"https://www.openwall.com/lists/oss-security/2021/03/28/3",
"https://www.openwall.com/lists/oss-security/2021/03/28/4",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.tenable.com/security/tns-2021-05",
"https://www.tenable.com/security/tns-2021-08",
"https://www.tenable.com/security/tns-2021-09"
]
}
}

Supported queries include but are not limited to: CVE-2021-3450 [CVE], GHSA-wfh5-x68w-hvw2 [GHSA], EDB-10102 [EXPLOITDB], PD/http/vulnerabilities/vbulletin/vbulletin-ajaxreg-sqli [NUCLEI], MSF/auxiliary_admin/2wire/xslt_password_reset [METASPLOIT], YT/ccqjhUmwLCk [YOUTUBE] & grafana [TECHNOLOGY].
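As an added example (not A.R.P. Syndicate's code), the helper below classifies a query string into the identifier types listed above and turns a response in the format shown for CVE-2021-3450 into a per-format summary, checking that the counts match the "N entries in M file formats" sentence and separating code entries from the "unknown" advisory links. The patterns are inferred from the article's examples, and the sample response is a constructed subset; the API endpoint and authentication are not covered.

```python
import json
import re
from collections import Counter

# Identifier patterns derived from the query examples in the article (assumed, not official).
QUERY_TYPES = [
    ("CVE", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("GHSA", re.compile(r"^GHSA(-[a-z0-9]{4}){3}$", re.I)),
    ("EXPLOITDB", re.compile(r"^EDB-\d+$", re.I)),
    ("NUCLEI", re.compile(r"^PD/")),
    ("METASPLOIT", re.compile(r"^MSF/")),
    ("YOUTUBE", re.compile(r"^YT/[\w-]{11}$")),
]

def classify_query(query: str) -> str:
    """Return the query type; anything matching no identifier pattern is a technology keyword."""
    query = query.strip()
    for name, pattern in QUERY_TYPES:
        if pattern.match(query):
            return name
    return "TECHNOLOGY"

def summarize_response(raw: str) -> dict:
    """Count entries per file format and verify them against the description's opening sentence.
    Malformed JSON raises rather than being guessed at."""
    data = json.loads(raw)
    entries = data.get("entries", {})
    counts = Counter({fmt: len(urls) for fmt, urls in entries.items()})
    total, formats = sum(counts.values()), len(counts)
    m = re.match(r"Exploit Observer has (\d+) entries in (\d+) file formats", data.get("description", ""))
    consistent = bool(m) and (int(m.group(1)), int(m.group(2))) == (total, formats)
    # "unknown" holds advisories and mailing-list posts; everything else is tagged code or write-ups,
    # which is the first split an analyst wants before reading any repository.
    code_urls = [u for fmt, urls in entries.items() if fmt != "unknown" for u in urls]
    return {"total": total, "formats": formats, "per_format": dict(counts),
            "consistent": consistent, "code_urls": code_urls}

# Constructed sample in the article's response format (a subset of the real CVE-2021-3450 data).
SAMPLE_RESPONSE = json.dumps({
    "description": "Exploit Observer has 4 entries in 3 file formats related to CVE-2021-3450. ...",
    "entries": {
        "c": ["https://github.com/jntass/tassl-1.1.1k"],
        "markdown": ["https://github.com/chnzzh/openssl-cve-lib", "https://github.com/dntyo/f5_vulnerability"],
        "unknown": ["https://www.openssl.org/news/secadv/20210325.txt"],
    },
})

if __name__ == "__main__":
    print(classify_query("GHSA-wfh5-x68w-hvw2"), summarize_response(SAMPLE_RESPONSE))
```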

It also has a CLI utility, Puncia, about which I wrote my previous article; it is also used to push alerts to our Telegram channel.

A.R.P. Syndicate’s ASM

A.R.P. Syndicate's Attack Surface Management Platform (ASM) uses Exploit Observer not only to keep track of public exploits but also to curate standard detection signatures & descriptions using generative A.I., which is not very great on its own right now but is definitely a real time saver.

FUTURE

We continue to enhance its existing capabilities & plan to release a new feature this quarter that will aid in malware analysis.

UPDATE: If you feel like expressing your opinions regarding this article or want to read the opinions of others, feel free to go through the discussion at https://news.ycombinator.com/item?id=38963026

There is no end but just beginning to the future.


Building A.R.P. Syndicate - Global Cybersecurity Intelligence & Research Company